PullSecret management for operators and their workload

thetechnick commented 2 years ago

Type of question

Best practice, general context/help :)

Question

What did you do? We want to deploy a large operator with multiple dependencies from a private repository, the structure looks like this:

+--------------+         +--------------+
|Private Repo 1|         |Private Repo 2|
+----^---------+         +----^---------+
     |                        |
+----+----+              +----+----+<------------------------+
|Catalog 1|              |Catalog 2|                         |
+----^----+              +----^----+<--------+               |
     |                        |              |               |
+----+----+              +----+-----+   +----+-----+   +-----+----+
|Top level|  dependency  |Operator 1|   |Operator 2|   |Operator 3|
|Operator +------------->+----+-----+   +--^---+---+   +---^------+
+---------+                   | dependency |   |dependency |
                              +------------+   +-----------+

Now it's easy for us to add pullSecrets to the CatalogSources of Catalog 1 & 2, as described here: https://olm.operatorframework.io/docs/tasks/make-catalog-available-on-cluster/#using-registry-images-that-require-authentication-as-catalogbundleoperatoroperand-images

But we have a hard time to figure out how to best setup the pull secrets for the operand workload itself.

We cannot use the cluster global pull secret, because we already have differently scoped credentials for the same registry (quay.io) included. https://docs.openshift.com/container-platform/4.7/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets Even if we could use the global pull secret, we would very much prefer to have the pull secrets scoped to just a single namespace/stack, as we want to deliver operator stacks, like this multiple times into the same cluster, which makes managing these secrets in a central place a bit tricky.
Every Operator get's it's own ServiceAccount to isolate RBAC, so patching the default ServiceAccount will not give us pull permissions for every operand.
Patching every Operator in the dependency chain to specify imagePullSecrets as part of their deployment specs within their CSV and to ensure that these Operators deploy all their pods with this set explicitly is very prone to errors and a lot of work.

What did you expect to see? A simple UX to handle private registries via OLM. e.g. by being able to specify pull secrets as part of a Subscription, similar to a CatalogSource, so the pullSecrets are added to ServiceAccount created by OLM?

What did you see instead? Under which circumstances? Manual patching after installation or massive amount of work to handle pullSecrets within a whole product chain.

Environment

operator-lifecycle-manager version:
Kubernetes version information: OpenShift 4.9.22
Kubernetes cluster kind: Manged OpenShift / OSD / ROSA / ARO

Additional context Ref, similar question: https://github.com/operator-framework/operator-lifecycle-manager/issues/2307

nb-ohad commented 2 years ago

@thetechnick in your example you are suggesting specifying the pull secret via the subscription, but that is also problematic as the subscriptions for the dependent operators (in all levels of the dependency chain) are created by OLM itself (as part of dependency resolution) which mean we have no way to specify a pull secret in them.

One way to solve this can be to provide a way to instruct OLM to copy the pull secret information from subscription to subscription throughout the dependency chain.

An alternative way, to handle the entire problem, can be to have a namespace scoped global pull secret (same as the global one, but scoped to a single namespace), which will take effect for all pull operations inside the namespace. I believe this can solve 90% (which include all of the common use cases)